
Critical OpenSSL 'HeartBleed' bug uncovered, affects HTTPS encryption
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Apr 8, 2014, 02:42 PM
 
A major security flaw has been discovered in the OpenSSL cryptographic software library, jeopardizing security for a large number of SSL/TLS-based transmissions. The fault, named the "Heartbleed Bug," has apparently existed since March last year but was only recently uncovered, and puts at risk not only the contents of encrypted online communications, but also the SSL keys used in the transmission.

Heartbleed appears in the widely-available OpenSSL version 1.0.1, as well as the beta of 1.0.2, with the former version being used in a large proportion of servers. The effects of the bug are varied and wide-ranging, with ZDNet reporting it as allowing attackers to reveal credit card details in a transaction over HTTPS. The severity of the issue potentially allows for the SSL keys to be used to enter a server without leaving any sign of an intrusion. The Heartbleed site dedicated to the bug, created by Codenomicon Defensics, describes Heartbleed as allowing attackers to "eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."

Version 1.0.1 has a fix available, bringing it to 1.0.1g, with a similar patch for the 1.0.2 beta also being worked on. Service providers have been asked to install the bug fixes as quickly as possible.

OpenSSL versions 1.0.0 and 0.9.8 are reportedly not affected by the flaw.
( Last edited by NewsPoster; Apr 8, 2014 at 02:50 PM. )
     
The Vicar
Dedicated MacNNer
Join Date: Jul 2009
Status: Offline
Apr 8, 2014, 05:30 PM
 
Oh, but don't forget — open source software is inherently more secure than anything else! Because many eyes! And... and... freedom! This didn't actually happen, and it isn't serious! Stop reading at once!
     
DiabloConQueso
Grizzled Veteran
Join Date: Jun 2008
Status: Offline
Apr 8, 2014, 05:48 PM
 
It sounds like you have both a bias against and a lack of understanding concerning open-source software.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Apr 8, 2014, 06:55 PM
 
The Vicar is prone to hyperbole, but this is the second serious security flaw found in an open-source project of late -- and in this case, it was a flaw introduced into a later version, not originally present. I think it is fair to say that everybody in the industry -- Google, Apple, MS, the open-source community, everybody -- needs to make security a bigger priority than it has been.
Charles Martin
MacNN Editor
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Apr 8, 2014, 07:14 PM
 
Originally Posted by DiabloConQueso:
It sounds like you have both a bias against and a lack of understanding concerning open-source software.

Exactly, and the ignorance is particularly amusing here since it is very, very probable that Google, MS, Apple, et al. use OpenSSL with their products.
     
Lifeisabeach
Fresh-Faced Recruit
Join Date: May 2010
Status: Offline
Apr 8, 2014, 11:58 PM
 
Chas is dead-on here. Just because open source could, in principle, have "more eyes" on it looking for bugs doesn't mean it's actually happening. Evidence of late suggests differently. As another example, look at TrueCrypt, the open source encryption software. They had to raise money to fund an independent audit because no one knows just how secure it really is. Hell, they don't even know who started the project in the first place.
     
The Vicar
Dedicated MacNNer
Join Date: Jul 2009
Status: Offline
Apr 9, 2014, 01:19 AM
 
"Many eyes" is foolishness. Most people — even most developers — really aren't good at writing code. It's the deep, dark secret of the software industry: developers are mostly bad at their jobs. (The increasing pressure to outsource coding projects contributes to this by making a lot of "developers" out of people who have no clue what they're doing, but is by no means responsible for the existence of the problem.) The people who contribute to open source projects are no exception to the rule; the only difference is that there's no way to get rid of them, and so you end up with the WikiPedia problem as described by Dave Kellett ( http://www.sheldoncomics.com/archive/071213.html ), only in software. (The perfect, dictionary-definition example of exactly this problem is the 2008 Debian SSL vulnerability, but there are many, many more.) "Many eyes" is only a good or useful thing if those eyes are connected to functioning brains, and most of them aren't, just as "you have access to the code" is only a good thing if you're willing to immerse yourself in an existing codebase to track down bugs or add new features, which generally takes up a massive amount of time, and which therefore most people aren't. (In fact, most people are willing to pay developers in order to AVOID having to develop code themselves. If they weren't, the software industry basically wouldn't exist.)

This bug, and the TLS bug from a little while back, are interesting because — in conjunction with Apple's own TLS bug* — they illustrate that open source fails at least as badly as proprietary software. Only with proprietary software, it's easy to tell whether a patch has been installed. With open source, there's really no way of knowing, because open source projects are often suppurating piles of dependencies, sometimes even requiring outdated versions of their dependencies in order to compile. (Often for idiotic reasons; you might see OpenSSL included in a project which does something on the network not because OpenSSL is going to be used for networking, but because some dev on the other project wanted a string-formatting function from OpenSSL's logging code. The resulting project will probably not be vulnerable to OpenSSL's networking bugs... provided the developer did everything right, except that since most developers aren't actually good at development, they probably didn't.) There are also possibly firmware-type products out there which use OpenSSL, where the only way to deliver the code is a binary blob, and some of them may no longer be in active development, meaning that this bug may quietly live on essentially forever, with nobody the wiser. (And even if patches become available, it's not realistically possible to be certain whether they have actually propagated, because the major open-source OSes decouple practically every function of the OS from every other function. Having a patched version of Apache doesn't mean that you have a patched version of anything else.)

*And yes, Apple's bug was asinine and embarrassing. Using bracketless conditionals is a notorious cause of exactly that kind of problem, and there is no good reason to permit them in code which has implications for security or overall stability. I'm reasonably sure Apple has code formatting rules which devs are forced to adopt, which makes this even worse — one of the few times when formatting rules would actually have improved the actual code performance, and they dropped the ball. (Heck, I know for a fact that there exist automated tools to turn bracketless conditionals into bracketed ones, or at least detect them. They could have had a filter on their version control system to prevent this problem from even happening — but so could the open-source folks.)

So, to put it baldly: OpenSSL is at least as bad as Apple's proprietary code, and possibly worse, but where Apple's proprietary code makes it easy to determine whether appropriate patches are applied, the nature of open source introduces an impossible-to-overcome obstacle to ensuring that patches are both available and effective.
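The automated check the post above calls for, as an added example that is not part of the thread and not any vendor's tooling: a small Python lint that flags `if`/`else`/`for`/`while` statements whose body is not wrapped in braces, usable as a pre-commit hook so the pattern never reaches the repository. The C fragment it runs on is constructed for the example, and `update`, `pending` and `drain` are placeholder function names.

```python
import re
import sys

# Comments become whitespace (newlines kept so line numbers survive); string and char
# literals shrink to their bare quotes, so braces or keywords inside them are ignored.
_NOISE = re.compile(r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])+\'', re.S)
_PREPROC = re.compile(r'^[ \t]*#[^\n]*', re.M)      # #if / #else are not C conditionals
_KEYWORD = re.compile(r'\b(if|else|for|while)\b')

def find_bracketless(src):
    """Return [(line, keyword)] for every if/else/for/while whose body is not braced."""
    text = _PREPROC.sub('', _NOISE.sub(lambda m: '\n' * m.group(0).count('\n')
                        if m.group(0)[0] == '/' else m.group(0)[0] + m.group(0)[-1], src))
    hits = []
    for m in _KEYWORD.finditer(text):
        kw, pos = m.group(1), m.end()
        if kw != 'else':                          # skip to '(' and find its matching ')'
            pos = len(text) - len(text[pos:].lstrip())
            if text[pos:pos + 1] != '(':
                continue                          # not a real conditional; nothing to judge
            depth = 0
            while pos < len(text):
                depth += {'(': 1, ')': -1}.get(text[pos], 0)
                pos += 1
                if depth == 0:
                    break
        tail = text[pos:].lstrip()
        if tail.startswith(('{', ';')):           # braced body, empty body, or do {} while (..);
            continue
        if kw == 'else' and re.match(r'if\b', tail):
            continue                              # else-if chain; the inner if is judged itself
        hits.append((text.count('\n', 0, m.start()) + 1, kw))
    return hits
# Constructed C fragment (not real code): line 3's if is bracketless, so line 5's goto always runs.
SAMPLE_C = """\
static int check(int a, int b)
{
    if ((err = update(a)) != 0)
        goto fail;
        goto fail;
    while (pending())
        drain();
fail:
    return err;
}
"""
if __name__ == '__main__':    # hook use: python lint.py *.c ; a message + exit 1 blocks the commit
    files = [(p, open(p).read()) for p in sys.argv[1:]] or [('<sample>', SAMPLE_C)]
    hits = [f'{p}:{ln}: bracketless {kw}' for p, s in files for ln, kw in find_bracketless(s)]
    sys.exit('\n'.join(hits) or 0)
```

Run without arguments it lints the embedded sample and reports lines 3 and 6; pointed at real `.c` files from a hook, a non-zero exit refuses the commit.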
     
shawnde
Forum Regular
Join Date: Apr 2008
Location: Vancouver, Canada
Status: Offline
Apr 9, 2014, 03:32 AM
 
Well, it sounds like "The Vicar" knows what he's talking about.
     
Charles Martin
Mac Elite
Join Date: Aug 2001
Location: Maitland, FL
Status: Offline
Apr 9, 2014, 05:01 AM
 
Just for the record -- to address Besson3c's concerns -- Apple (and iCloud), Google and Microsoft do not appear to use OpenSSL and are thus in the 33 percent or so of web servers not affected by the issue.
Charles Martin
MacNN Editor
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Status: Offline
Apr 9, 2014, 10:47 AM
 
Originally Posted by The Vicar:
"Many eyes" is foolishness. Most people — even most developers — really aren't good at writing code. It's the deep, dark secret of the software industry: developers are mostly bad at their jobs. (The increasing pressure to outsource coding projects contributes to this by making a lot of "developers" out of people who have no clue what they're doing, but is by no means responsible for the existence of the problem.) The people who contribute to open source projects are no exception to the rule; the only difference is that there's no way to get rid of them, and so you end up with the Wikipedia problem as described by Dave Kellett ( Sheldon® Comic Strip: Daily webcomic by Dave Kellett ), only in software.
This is the dumbest thing I have ever heard of regarding modern software development.

"Many eyes" can be and usually is a huge benefit for code integrity; people's work gets checked. This is also why you have code reviews. Every organization I have ever worked for in my entire career has hired, nurtured and created stellar software developers. But they have all had stringent code practices. This is just my personal experience. However, in all my exposure to the enterprise industry, I have hardly come across many "bad" developers.

This "deep, dark secret" or whatever you claim sounds like complete bullshit to me.
( Last edited by Grendelmon; Apr 9, 2014 at 12:09 PM. )
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Apr 9, 2014, 07:01 PM
 
The Vicar: I don't really understand your argument. What you wrote about the possibilities of re-bundling older versions of library dependencies and compiling against older versions of things is true; open source is often a spiderweb of libraries, code, dependencies, etc. That is both its strength and weakness.

But this means that it is *possible* to do dubious things, perhaps even easier to do so in the open source world. It is, of course, possible to do dubious things writing any kind of code. However, where your argument breaks down, I think, is that because developers are generally morons, it is more likely you'll find bad stuff in the open source world. Is that an accurate summation?

If so, and to simultaneously address chas_m's point, what about the other key technologies behind a project that might use OpenSSL: nGinx/lighttpd/Apache, Bind, GCC, Rails/NodeJS/PHP/Python, caching servers, PostgreSQL/MySQL, Git, Dovecot/Cyrus IMAP, Postfix/Sendmail/etc., SSH, etc.? Why would companies the size of Apple/MS/Google use many of these technologies if their assessment of them was poor, and that they put their respective companies at risk with so much at stake? These technologies don't just do little trivial things, their importance is huge. Email alone is kind of a big deal.

You're right, more eyes in and of itself isn't better, but the potential for more of a certain calibre of eye is, for vetting purposes. I'm sure plenty of people have vetted OpenSSL over the years, but the quality of a maintained project of this nature is not static. A number of my servers are running OpenSSL 0.9.8, which is not affected by this bug; it could be that OpenSSL was in better hands back in this timeframe. The same is true of proprietary software - people come and go, resources are allocated and deallocated, fatigue and enthusiasm set in, etc. People are human.

The main difference between open source and proprietary software to me is that open source software has the *potential* for high quality vetting. It doesn't mean that this always happens, or that just being dubbed open source makes this happen on its own. With open source software comes pros and cons, and as well there are often pros and cons in reinventing the wheel.

All of this is to say that with the sorts of projects that open source development works well with (i.e. small, very specific tools and building blocks that can be pieced together to make things), the *upside* is potentially greater having things open.

Of course, there are also all sorts of political pros and cons for making things open source too, but that is a whole other matter.
     
wrenchy
Forum Regular
Join Date: Nov 2009
Status: Offline
Apr 10, 2014, 02:31 AM
 
Originally Posted by The Vicar:
"Many eyes" is foolishness.
Yes and everyone knows closed-source proprietary programs/code has NO bugs or flaws. None whatsoever.
     
   
All contents of these forums © 1995-2017 MacNN. All rights reserved.